WinMX World :: Forum

Tomorrow -- April 1 -- is D-Day for Conficker, as whatever nasty payload it's packing is currently set to activate. What happens come midnight is a mystery: Will it turn the millions of infected computers into spam-sending zombie robots? Or will it start capturing everything you type -- passwords, credit card numbers, etc. -- and send that information back to its masters? Here's the site to check it out some more: http://tech.yahoo.com/blogs/null/132464;_ylt=ApUXIGXJhIm._s7G9nQjfMgazJV4

On 15 October 2008, Microsoft released an emergency out-of-band patch to fix vulnerability MS08-067, which the worm exploits to spread. The patch applies only to Windows XP SP 2, Windows XP SP 3, Windows 2000 SP4 and Windows Vista; Windows XP SP 1 and earlier are no longer supported.

emphasis mine...

Last I looked, a lot of MXers and other p2pers are using SP1 cos of the broken TCP/IP of SP2 and SP3.... but there is no fix to protect against Conficker/Downadup for SP1...

..and Daniel... it would be nice to have programmers with those skills working on WinMX (imagine if WinMX could patch the TCP/IP limit of SP2+ in memory without crashing the system... would definitely be some coding voodoo...) ... but I'd rather they not have that 'viral' mentality....

Patching tcpip.sys I thought about and tested. After patching tcpip.sys in memory, have you ever tried to stream anything to an Xbox or PS3? It doesn't work. I've spent hours trying to work out why and could never find a cure for it. The one and only way is to modify the file itself. But on XP tcpip.sys is loaded at boot up, very early in the boot up process for some reason; I don't know why so early, but whatever. So, back on topic: WinMX would have to reboot an XP machine. Vista though is different: you can patch tcpip.sys and it's effective straight away. But again, on Vista if you use the patch that works in memory you lose Xbox 360 and PS3 functionality. Now I don't know why it does this, and I've seen about the place a few folks with the same error codes I was receiving, but the second I uninstalled the software patch, blam, it would work instantly.

When making the patch installers I actually considered streamlining in a tcpip patch and wrapped it in an AutoIt script to fire up and teach folks about what it is. But it was yet another step in the install process and I didn't want to confuse things. I actually have it all built ready; it just never went in.

It seems this beastie has begun updating itself and folks should be on high alert.

http://news.cnet.com/8301-1009_3-10215678-83.html

Quote

The Conficker worm is finally doing something--updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday. Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said. The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

For the concerned there is a simple test located here to check if your machine is possibly compromised.

The confickerworkinggroup.org (149.20.56.65) site does not work in and of itself... and no, I'm not accessing it on a Windows machine (the MS-issued patch for Conficker avoidance was installed a -very- long time ago on my one-token Wintendo anyway)...

If the estimated infected computers aren't off, it could cause an equivalence of a double in Google traffic without the infected users ever knowing (unless they are above-par users and watch their logs).

According to CBS national news (who still think they are going to use keyloggers), the new estimate of infected users since the "general awareness" period has reached 15 million. Even less than a KB of upload from those users is more than enough to do some major damage. Microsoft has issued a 250k USD bounty for the arrest of the creators.

I can only hope that the people never get hold of this technology. While it could easily fight the MPAA, RIAA, and groups like Media Defender, there's no telling what the general populace would do with that kind of power.

If the estimate of "15 million" is correct, a keylogger would fill Google's hard drives with text files within minutes. For them to be looking for credit card numbers and bank accounts, it will be their great-great-great-grandkids that find the first one in that garbage of text.

A fix has been posted in almost every page mentioning it. The wiki: http://en.wikipedia.org/wiki/Conficker

Quote

On 15 October 2008, Microsoft released an emergency out-of-band patch for vulnerability MS08-067, which the worm exploits to spread. The patch applies only to Windows XP SP 2, Windows XP SP 3, Windows 2000 SP4 and Windows Vista; Windows XP SP 1 and earlier are no longer supported.[55]

Microsoft has since released a removal guide for the worm, and recommends using the current release of its Malicious Software Removal Tool[56] to remove the worm, then applying the patch to prevent re-infection.[57]

Run the Malicious Software Removal Tool. To do this, open the command prompt and type

MRT.EXE /F:Y

Then run Windows Update to apply the patch to prevent reinfection.

The easy step is that third-party AV companies have developed third-party tools. BitDefender, Enigma Software, ESET, F-Secure, Symantec, Sophos, and Kaspersky Lab have released detection updates to their products and are able to remove the worm. McAfee and AVG are able to remove it with an on-demand scan. These tools can be located currently on the home pages of the respective vendor's website.

-edit- Most of the third-party removal tools are free and have been alluded to work better than Microsoft's MRT.

MRT.EXE /F:Y, let it complete.
Click Start.
Click Windows Updates (Automatic for Vista, I believe).
Read the Terms of Service presented by Microsoft.
If you agree to them, click "I agree" and follow the on-screen instructions.
If you do not agree, do not click continue; close the page and choose another method.

For third-party tools:
Open your web browser.
Using the search bar or the address bar, type the name of the antivirus company you most trust that was mentioned in the earlier post.
Hit Enter and it will take you to either A) their page or B) a search page in which one of the first few results shall be the one you are looking for.
On this website's home page there should be mention of the Conficker removal tool. Navigate to its page and select to download it.
If prompted by Internet Explorer, click Run. If prompted after the download, click Run.
The program will begin its installation.
Upon completion it will ask if you would like to run it when you click Close/Finish; check this box for yes, then click Close or Finish.
The program will appear on your page; you should then follow its instructions or the instructions provided on the site from which you obtained it to remove the tool.
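The cleanup procedure the posts above describe (run MRT.EXE /F:Y, then make sure the MS08-067 patch is on), as an added PowerShell example that is not from this thread, from WinMX, or from Microsoft. It first reports the service pack level, since the quoted Wikipedia text says Windows XP SP1 and earlier never got the patch, then checks whether the hotfix is installed, and finally runs MRT with the switch the post gives. Assumptions: Windows PowerShell 2.0 or later (not PowerShell 7, which dropped Get-WmiObject) run from an elevated prompt, KB958644 as the Knowledge Base id Microsoft assigned to MS08-067, and MRT.exe present in System32 (Windows Update delivers it there).

```powershell
# Added example, not code from the thread or from Microsoft.
# Assumes Windows PowerShell 2.0+ running as administrator.

$os = Get-WmiObject -Class Win32_OperatingSystem
$sp = $os.ServicePackMajorVersion
Write-Host ("OS: {0}  Service Pack: {1}" -f $os.Caption, $sp)

# Per the quoted Wikipedia text, XP SP1 and earlier received no MS08-067 fix,
# so on those systems cleaning alone does not prevent re-infection.
if ($os.Caption -match 'XP' -and $sp -lt 2) {
    Write-Warning "Windows XP SP1 or earlier: no MS08-067 patch exists for this service pack; move to SP3 first."
}

# KB958644 is the Knowledge Base id of the MS08-067 patch (assumption stated in the lead-in).
$fix = Get-WmiObject -Class Win32_QuickFixEngineering |
       Where-Object { $_.HotFixID -eq 'KB958644' }
if ($fix) {
    Write-Host "MS08-067 patch (KB958644) is installed (InstalledOn: $($fix.InstalledOn))"
} else {
    Write-Warning "MS08-067 patch (KB958644) not found; run Windows Update after the scan completes."
}

# Run the Malicious Software Removal Tool the way the post describes.
# /F:Y = forced full scan with automatic clean, as given in the thread.
$mrt = Join-Path $env:SystemRoot 'System32\MRT.exe'
if (Test-Path $mrt) {
    $proc = Start-Process -FilePath $mrt -ArgumentList '/F:Y' -Wait -PassThru
    Write-Host "MRT exited with code $($proc.ExitCode)"
    Write-Host "Scan details are written to $env:SystemRoot\debug\mrt.log"
} else {
    Write-Warning "MRT.exe not found; install the current Malicious Software Removal Tool from Microsoft first."
}
```

Run it from an elevated Windows PowerShell prompt; the hotfix check is the part worth keeping in any post-cleanup script, because removing the worm without the patch leaves the machine open to the same MS08-067 spreading path the thread discusses.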